Europe – Safe Harbour declared invalid
The US Safe Harbour scheme has been declared invalid by the Court of Justice of the European Union (CJEU). According to international law firm Osborne Clarke, this decision is hugely significant for companies that rely on Safe Harbour as a simple and cost-effective legally compliant mechanism to transfer European personal data to group companies or suppliers in the US.
Companies will now need to consider additional compliance steps to ensure an adequate level of protection for EU-US data transfers, or face potential regulatory action.
Osborne Clarke has outlined what this judgment means for businesses.
The Case: Case C-362/14 Maximillian Schrems v Data Protection Commissioner - In 2013, former CIA analyst Edward Snowden leaked details of mass surveillance activities of European individuals undertaken by US authorities, which were widely viewed as violating European rules. In the wake of these revelations, privacy activist Maximilian Schrems complained to the Irish Data Protection Commissioner (Irish DPC) about the transfer of data from Facebook Ireland to servers in the US.
Mr Schrems argued that US authorities' access to users' personal data meant that Facebook did not ensure an adequate level of protection as required by European law and he asked the Irish DPC to investigate. This was refused as the transfer was made under Safe Harbour – a mechanism for EU-US data transfers that the European Commission had already deemed to be adequate.
Mr Schrems appealed the decision to the Irish High Court, which asked the CJEU whether national data protection authorities are bound by adequacy decisions of the European Commission or whether they may and/or must conduct their own investigations in certain circumstances.
The CJEU has now decided that:
- Safe Harbour is invalid;
- Mass and indiscriminate surveillance activities by US authorities are a violation of the Data Protection Directive and the fundamental rights afforded to European citizens under the Charter of Fundamental Rights of the EU; and
- A data protection regulator must be able to exercise its independence to suspend a transfer if it finds that the protections offered to European individuals are inadequate – i.e. it is not necessarily bound by a European Commission decision of adequacy.
In response, the Commission has already confirmed that negotiations with the US for a “safer” Safe Harbour Framework will continue. It is also committed to working together with the Article 29 Working Party and the national data protection authorities to achieve a uniform application of the CJEU's decision across EU Member States.
So what does this mean for companies?
Businesses that have previously relied on Safe Harbour to ensure an adequate level of protection face an uncertain period during which they will need to adopt alternative solutions.
Regulators are likely to require robust evidence that data is being protected and will very likely demand additional protective measures be put in place for data transfers to the US – such as Binding Corporate Rules (for intra-group transfers) or European Commission approved model clauses – at least until a new Safe Harbour framework is agreed.
The timing for the requirements of additional measures and guidance by regulators is currently unclear. However, while the Safe Harbour option has been rendered invalid with immediate effect, businesses should bear in mind that Binding Corporate Rules can take months to receive regulatory approval, and even model clauses need to be filed and approved by regulators in some parts of the EU.
Fiona Coombe, Director of Legal and Regulatory Research at Staffing Industry Analysts, commented: “This ruling was anticipated, so many international staffing firms will have contingency plans in place. However these may take some time to effect and in the meantime companies which do transfer data from EU member states need to understand what the regulators in those states intend to do.”